Re: Question re: sql injection
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Fri, 29 Jun 2007 09:33:44 -0400
Andrew Hutchings wrote:
> shimmyshack wrote:
>> On Jun 28, 10:28 pm, jb <jbri...@xxxxxxxxx> wrote:
>>> does wrapping the string in double quotes somehow tell mysql to treat
>>> the contents within as literal? Thus making it sql injection safe?
>> just use mysql_real_escape_string throughout.
> That won't cover things like unicode sql injection attacks for starters. Prepared statements are much safer but you need mysqli on your PHP installation (or a lot of voodoo with the standard mysql library).

Actually, it will. mysql_real_escape_string is charset dependent. If you're using one of the unicode charsets in your table, mysql_real_escape_string will handle it. And if you're not using unicode, the injection won't work, anyway.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
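The charset dependence the reply turns on, shown as an added example that is not code from this thread or from PHP/MySQL: a Python model of a charset-blind, addslashes-style escaper beside a lead-byte-aware escaper of the kind mysql_real_escape_string is once it knows the connection charset, plus a small model of how the server tokenizes a quoted literal. GBK is assumed as the illustrative multibyte charset (any charset whose trail bytes can be 0x5C behaves the same way); the escaper and tokenizer are simplified emulations written for this example, not MySQL's own code, and the payload is constructed.

```python
"""Constructed example: why quote-escaping must know the connection charset.

Under a multibyte charset such as GBK (assumed here for illustration), the
byte 0x5C that a charset-blind escaper inserts can become the trail byte of
a two-byte character, leaving the quote that follows it live.
"""

GBK_LEAD = range(0x81, 0xFF)   # first byte of a two-byte GBK sequence (assumed charset)
SPECIAL = {0x27, 0x22, 0x5C}   # '  "  \


def naive_escape(data: bytes) -> bytes:
    """addslashes-style escaper: backslash every quote/backslash byte,
    without any knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_aware_escape(data: bytes) -> bytes:
    """Emulates a charset-aware escaper with the connection charset set to
    GBK: a lead byte and its trail byte are copied through as one unit, so a
    byte that is really the second half of a character is never treated as
    a quote to escape (simplified model, not MySQL's implementation)."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD and i + 1 < len(data):
            out += data[i:i + 2]
            i += 2
            continue
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def literal_end_gbk(sql: bytes, start: int) -> int:
    """Model of the server's tokenizer under GBK: return the index of the
    quote that closes the single-quoted literal opened at sql[start], or -1
    if the literal never closes. Lead bytes consume their trail byte, and a
    backslash consumes the byte after it."""
    i = start + 1
    while i < len(sql):
        b = sql[i]
        if b in GBK_LEAD:
            i += 2          # two-byte character; the trail byte is not special
        elif b == 0x5C:
            i += 2          # backslash escape
        elif b == 0x27:
            return i        # closing quote
        else:
            i += 1
    return -1


def build_query(escaper, user_input: bytes) -> bytes:
    """Interpolate the escaped input into a single-quoted literal."""
    return b"SELECT * FROM users WHERE name = '" + escaper(user_input) + b"'"


def trailing_sql(escaper, user_input: bytes) -> bytes:
    """What the server sees after the literal closes. b'' means the whole
    input stayed inside the string; anything else is injected SQL."""
    sql = build_query(escaper, user_input)
    start = sql.index(b"'")
    end = literal_end_gbk(sql, start)
    return sql[end + 1:]


if __name__ == "__main__":
    # Constructed payload: a GBK lead byte followed by a quote.
    payload = b"\xbf' OR 1=1 -- "
    print("naive   :", trailing_sql(naive_escape, payload))
    print("aware   :", trailing_sql(gbk_aware_escape, payload))
    # Plain ASCII payloads are handled identically by both escapers.
    print("ascii   :", trailing_sql(naive_escape, b"' OR 1=1 -- "))
```

With the charset-blind escaper the payload's 0xBF 0x5C pair is read by the tokenizer as one character and the following quote terminates the literal, so ` OR 1=1 -- '` reaches the parser as SQL; the lead-byte-aware escaper leaves 0xBF 0x27 together and the quote stays inside the string. The practical caveat is that mysql_real_escape_string only knows the connection charset if it was set through mysql_set_charset() on the same connection, not through a `SET NAMES` query that the client library never sees; a parameter passed through a prepared statement never goes through the SQL tokenizer at all, which is why Andrew's suggestion sidesteps the issue entirely.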